Outline RFID and Applications What is it? How is it used? RFID applications
RFID Sensing and RFID Systems
RFIDAnatomy Systems
RFID Privacy
Mobile Sensor Computing Systems: RFID and RFID Sensing
RFID Tags Radio Frequency IDentification (RFID) Each tag has a unique ID. Anyone can read the ID through radio connection.
[Ari Juels, ajuels@rsasecurity.com RFID-Privacy Workshop at MIT 15 November 2003]
What is a Radio-Frequency Identification (RFID) tag?
In terms of appearance Chip (IC) Substrate Die attach Antenna
What is an RFID tag?
You may own a few RFID tags Proximity cards (contactless physical-access cards) ExxonMobil Speedpass EZ Pass
RFID in fact denotes a spectrum of devices:
What is an RFID tag?
You may own a few RFID tags Proximity cards (contactless physical-access cards) ExxonMobil Speedpass EZ Pass
RFID in fact denotes a spectrum of devices:
Basic RFID Tag
EZ Pass
SpeedPass
Mobile phone
What is a basic RFID tag?
Characteristics: Passive device receives power from reader Range of up to several meters In effect a smart label: simply calls out its (unique) name and/or static data
Frequency Read Range Comments 11 feet 915 MHz Read range up to 3.5m (11.48 ft) using unlicensed 915 MHz reader with one antenna; read range up to 7m (22.96 ft) with two antennas" Telenexus has developed a reader and antenna for the 915 MHz long-range RFID system...with a read range of over 15 feet. The tag is a low-cost passive transponder.
Passive
Passive
915 MHz
15 feet
Alien
Passive
915 MHz
17 feet
The maximum free space read range of these emulator tags is 5 meters, consistent with the performance of other known UHF passive tags. Read range depends on reader configuration and tag enclosure.30 W EIRP (USA site licensed):> 20m 4 W EIRP (USA unlicensed): 6-8m500 mW ERP (Europe): 1-2m The first product to come from the collaboration will be a handheld device that reads Matrics' passive EPC tagsThe unit will be able to read passive tags from up to 33 feet (10 meters) away
iPico
Passive
915 MHz
66 feet USA licensed 20-26 feetUSA unlicensed 3 7 feet EU
Matrics/Savi
Passive
unspecified
33 feet
The capabilities of a basic RFID tag
Little memory Static 64-to-128-bit identifier in current ultra-cheap generation (five cents / unit) Hundreds of bits soon Maybe writeable under good conditions
Little computational power
A few thousand gates Static keys for read/write permission No real cryptographic functions available
The grand vision:
RFID as next-generation barcode Barcode RFID tag Fast, automated scanning Line-of-sight Specifies object type Radio contact Uniquely specifies object
Provides pointer to database entry for every object, i.e., unique, detailed history
Some applications Better supply-chain visibility -- #1 compelling application U.S. DHS: Passports U.S. FDA: Pharmaceuticals, anti-counterfeiting Libraries Housepets approx. 50 million
Parenting logistics Water-park with tracking bracelet
RFID in Euro banknotes (?)
placed between layers of paper
Alien/RAFSEC S Tag in Bag
Tags can be sewn into clothing
Embedded in plastic
They can be integrated into paper
Inkodes chipless tag: Closeup of Inkode metal fibers embedded in paper
Soon these chips could appear on every Coke can
whether Coca-Cola is REALLY interested in uniquely identifying a single can of Coke among billions,
In answer to a questionabout
Michael [Okoroafor, in charge of technical solutions for Coca-Cola] replied with a resounding YES! - IDTechEx Magazine 2003
and on every pack of gum
Alien envisions [conductive] ink being mixed with regular packaging ink to create antennas on boxes of cereal and other disposable packaging
"With these things you could literally tag a pack of chewing gum. - Jacobsen, Alien Technology
Philips & RFID
We are market leader (nearly 1 billion products shipped) We intend to drive new RFID technologies and the integral ID market, together with key industry partners across the value chain
Key applications Supply chain and logistics Production control Asset management Brand protection Automotive immobilization, gas & toll payments (near field) Livestock tracking Public transport and room access Library management Retail Increase shoppers experience
Parenting logistics Water park uses RFID bracelets to track children
Consumer benefits Saves lives e.g. tire safety Helps commuters on public transport Reduces road congestion Improves shopping experience Authenticates brands and prevents fraud Can prevent, deter and help solve theft of high-value goods All chips meet international standards such as ISO-15693, ISO 18000 and AIDCs EPC
Commercial applications Smoother inventory tracking Military supply logistics Gulf War I: Placement of double orders to ensure arrival Gulf War II: RFID renders supply chain much more reliable
Procter & Gamble: Elimination of dock bottleneck -fast loading of pallets onto trucks Product recalls Anti-counterfeiting Maintaining shelf stocks in retail environments Gillette Mach3 razor blades Parenting logistics Water park uses RFID bracelets to track children
London Transport One of the largest roll-outs of contactless smart cards worldwide Fare collection across Londons entire underground train and bus networks A major step towards an integrated transport network for London 3 million cards during the first year of operation using Philips MIFARE technology
Toyota, South Africa
ICODE read/write tags enable production control of cars through to final assembly Both re-usable and disposable tags are used in the same installation Results: Stock reduced by 1 day Fitment and distribution planning greatly improved Required business information made available to distribution yards
From supply to retail METRO Group Future Store Initiative
The first broad, real life implementation of RFID technology in an European supermarket environment Goal is to improve customer service and increase supply chain efficiency in retailing METRO Group: We want to revolutionize the shopping experience for customers! Tagged products enable customers to simply swipe a CD or DVD to select a preview of the album or film they are considering purchasing
There is an impending explosion in RFID-tag use
Wal-Mart requiring top 100 suppliers to deploy RFID at pallet level from 2005 on Gillette announced order of 500,000,000 RFID tags Auto-ID Center at MIT Wal-Mart, Gillette, Procter & Gamble, etc. Spearheading EPC (electronic product code) data standard for tags Developing cheap manufacturing techniques Handing over standards to Uniform Code Council 2005: $0.05 per tag; $100 per reader 2010: $0.01 per tag; several dollars per reader (?)
Estimated costs RFID realm sometimes called Extended Internet
There is an impending explosion in RFID-tag use
EPCglobal Joint venture of UCC and EAN Wal-Mart, Gillette, Procter & Gamble, etc. Spearheading EPC (electronic product code) data standard for tags Putting finishing touches on basic-tag standard (Class 1 Gen 2) this week
Wal-Mart requiring top 100 suppliers to start deploying RFID in 2005 Other retailers and DoD following Wal-Mart lead Pallet and case tagging first -- item-level retail tagging seems years away Estimated costs 2005: $0.05 per tag; hundreds of dollars per reader 2008: $0.01 per tag; several dollars per reader (?)
A broader vision: Extended Internet
RFID Sensing and RFID Systems
Basic Elements of RFID systems RFID Application Developments
Elements of an RFID system
What is an RFID Reader?
(eg Savant)
Four main elements: Tags, Readers, Antennas, and Network Systems
RF system variables 1. 2. 3. 4. 5. Choice of operating frequency Tag IC, tag antenna design Reader, reader antenna design Proximate materials Sources of external interference
Major RFID markets by frequency
US, Canada 125KHz 13.56MHz 902-928MHz
EU Countries 125KHz 13.56MHz 868-870MHz
Japan 125KHz 13.56MHz 950-956MHz
RFID tags at different frequencies
125 KHz TI Philips Others 13.56 MHz Tagsys Philips TI Microchip Others 915 MHz Intermec SCS Matrics Alien Philips TI 2.4 GHz Intermec SCS Hitachi
Tag anatomy Substrate Die attach Tag IC
Antenna
Tag block diagram
Antenna Power Supply Tx Modulator Rx Demodulator Tag Integrated Circuit (IC) Control Logic (Finite State machine) Memory Cells
What does a reader do?
Primary functions: Remotely power tags Establish a bidirectional data link Inventory tags, filter results Communicate with networked server(s) Plastic #3
74AB8
5F8KJ3
Reader anatomy Digital Signal Processor (DSP)
Network Processor
Power Supply
915MHz Radio
13.56MHz Radio
Mobile, PDA, Scanner, ...
RFID System Architecture
Web-Client Monitoring-Client Access Point Reporting-Client Firewall @ Connector WebServer
RFID-Reader
Messaging-Server
Application Server
DB-Server
Other devices
? Connector External Information System
Vision The RFID System Architecture is a highly complex system! RFID solution merges the virtual world of data with the real world of RFID-tagged assets
antenna reader Smart Tag (RFID)/ Smart Product ID ID ID memory memory memory sensors sensors sensors unit processing processing unit processing unit communication communication communication interfaces interfaces interfaces RFID Antenna/ RFID Antenna/ RFID Antenna/ Reader Reader Reader receiver (read) receiver (read) receiver (read) transmitter transmitter transmitter (write) (write) (write)
Applications Applications Applications and Services and Services and Services ERP ERP ERP CRM CRM CRM SCM SCM SCM Ebusiness Ebusiness Ebusiness web services web services web services
Strassner: Automotive Study, 2004
Problems How is it possible to ensure system quality and reliability? Design of RFID System Architecture System Architecture, Integration of back-end and data capture
Management of RFID System Architecture
Roll out, Control, Maintenance
How is it possible to achieve an accurate virtual mapping of reality? Especially important in real-time systems Derivation of process performance figures At least starting point process improvements
Business Requirements (1/3)
Transformation of reader data into meaningful data
Sensors and Actuators
? Information Systems
Physical Object in a business process
Business Requirements (1/3)
Transformation of reader data into meaningful data Tasks Correction Aggregation Transformation Storage Information Systems
Sensors and Actuators
Physical Object in a business process
Business Requirements (1/3)
Transformation of reader data into meaningful data
Business Requirements (2/3)
Integration Expertise The case for integration the expected use of an Auto-ID System
Business Requirements (2/3)
Integration Expertise
The market for RFID system integration is far greater than the number of experienced RFID system integrators out there. [METAGroup 03]
Business requirements (3/3)
Management of complex RFID Infrastructure Scope of RFID Infrastructure determined by Selected applications Inter/intra-organizational dependency Local, regional, or global implementation Level of system integration Mobile, PDA, Scanner, ... Web-Client
Organizational Support Supporting processes Key Performance Indicators Involves operations experts, quality manager, IT, vendors, customers, trading partners, technology partners, operational staff Hardware deployment e.g. of huge quantities Tagged object management Software such as middleware, data applications Data security Risk of failure System reliability Facility management
RFID technologies Standardization and industrial associations: ISO, AIM (Association for Automatic Identification and Data Capture Technologies)
Applicability: Originally destined to electrical labelling, tracking and access applications Applications with ultra short-range non-symmetrical communication between a reader (master) and a transponder (slave) Applications with very low cost and power consumption (even passive devices) Applications with a usage model called physical browsing
Technical features: Many different commercial solutions based on several ISM bands, current mainstreams 125 kHz and 13.56 MHz Passive / active transponders Communication rate up to several hundreds of kilobits per second Communication range from a few millimeters to several tens of centimeters
Evolutions under preparation:
Long-range (up to several meters) RFID-technologies based on backscattering of the RF field (e.g. Palomar at VTT Information technology)
Vision: The Auto-ID Labs vision
Vision Summary RFID solution merges the virtual world of data with the real world of RFIDtagged assets
by providing accurate, real-world, real-time data and information solution enables companies to close the loop between capturing data converting data to meaningful information and automating all associated transactions and processes businesses will create smarter, more responsive and more adaptive business processes to execute adaptive supply chain networks
RFID System Radio Frequency IDentification (RFID) Each tag has a unique ID. Anyone can read the ID through radio connection. VERY USEFUL FOR GOODS FLOW CONTROL
Our Concern What if the tag is linked to your identity? What if someone is tracing the tag? PRIVACY VIOLATION (BIG BROTHER PROBLEM)
RFID Privacy Problems
Leakage of personal belongings data Leak data regarding belongings without awareness of user. What do they have?
Consumers
Adversary
ID tracing Monitor tag owners activity.
Adversary
www.rapturechrist.com/666.htm
NEW Subdermal Biochip Implant for Cashless Transactions - is it the Mark?
The mark is a microchip assembly which will be implanted under the skin of the right hand. Later on, the mark will be implanted under the forehead, so people who have no right hand could also have the mark. The microchip assembly, called radio frequency identification (RFID) is already used in animals. In dogs, the RFID is placed between the shoulder blades, and in birds it is implanted under the wing. Now there is a one for humans called VeriChip.
www.spychips.com, www.stoprfid.com
Unlike a bar code, [an RFID tag] can be read from a distance, right through your clothes, wallet, backpack or purse -- without your knowledge or consent -- by anybody with the right reader device. In a way, it gives strangers x-ray vision powers to spy on you, to identify both you and the things you're wearing and carrying.
Technical Approaches to Enhancing RFID Privacy
For RFID, we can consider different and weakened adversarial assumptions
Adversary is not present 24 hours a day Adversary must be physically close to tag to scan it
We can deploy security protocols on physical channels not just logical ones External, higher-capability devices can help protect tags
First approach [Juels, SCN 04]: Minimalist cryptography
Key observation: Adversary must have physical proximity to tag to interact with it Key assumption: Adversary can query tag only limited number of times in given attack session Example: Passive eavesdropping Adversary only hears queries made by legitimate readers
Example: Building access
Adversary has limited time to query tags in parking lot before employees authenticate to door readers
Example: Readers scattered around city
Pedestrians within range of reader for limited time
Pseudonym rotation Set of pseudonyms known only by trusted verifier Pseudonyms stored on tag Limited storage means at most, e.g., 10 pseudonyms
Tag cycles through pseudonyms
74AB8
= Strengthening the approach Strengthen restriction on adversarial queries using throttling Tag enforces pattern of query delays via, e.g., capacitordischarge timing
MMW91
Pseudonym refresh Trusted reader provides new pseudonyms Pseudonyms must be protected against eavesdropping and tampering using encryption, but tags cannot do standard cryptography! Can load up tag with one-time pads assuming adversary is not always present, some pads will be secret!
Not for retail items, which must include basic item information. Perhaps for prox. cards, tickets, etc.?
Second Approach [Juels, Rivest, & Szydlo CCS 03]:
The Blocker Tag
Blocker Tag Blocker simulates all (billions of) possible tag serial numbers!! 1,2,3, , 2023 pairs of sneakers and (reading fails)
Tree-walking anti-collision protocol for RFID tags
0 1
? 00 01 10 11
000
001
010
011
100
101
110
111
In a nutshell Tree-walking protocol for identifying tags recursively asks question: What is your next bit?
Blocker tag always says both 0 and 1!
Makes it seem like all possible tags are present Reader cannot figure out which tags are actually present Number of possible tags is huge (at least a billion billion), so reader stalls
Two bottles of Merlot #458790
Blocker tag system should protect privacy but still avoid blocking unpurchased items
Consumer privacy + commercial security
Blocker tag can be selective: Privacy zones: Only block certain ranges of RFID-tag serial numbers Zone mobility: Allow shops to move items into privacy zone upon purchase
Example: Tags might carry a privacy bit Blocker blocks all identifiers with privacy bit on Items in supermarket have privacy bit off On checkout, leading bit is flipped from off to on PIN required, as for kill operation
Blocking with privacy zones
0 00 01 1 10 Privacy zone
11
000
001
010
011
100
101
110
111
Transfer to privacy zone on purchase of item
Polite blocking We want reader to scan privacy zone when blocker is not present Aim of blocker is to keep functionality active when desired by owner
But if reader attempts to scan when blocker is present, it will stall! Polite blocking: Blocker informs reader of its presence Your humble servant requests that you not scan the privacy zone
An Example: The RXA Pharmacy
RFID-tagged bottle + Blocker bag
RFID-tagged bottle + Blocker bag
Soft Blocking [Juels and Brainard WPES 03]
Idea: Implement polite blocking only no hardware blocking
A little like P3P
External audit possible: Can detect if readers scanning privacy zone Advantages: Soft blocker tag is an ordinary RFID tag Flexible policy: Opt-in now possible e.g., Medical deblocker now possible
Weaker privacy, but can combine with hard blocker
Third approach: Personal Simulator or Proxy for RFID
Nokia mobile-phone RFID kit available in 2004 Readers will be compact, available in personal devices
We might imagine a simulation lifecycle:
1. Mobile phone acquires tag when in proximity 2. Mobile phone deactivates tags or imbues with changing pseudonyms 3. Mobile phone simulates tags to readers, enforcing user privacy policy 4. Mobile phone releases tags when tags about to exit range
Formal Security Requirement
Indistinguishability The output from tag A cannot be distinguished from that from tag B. The ouput from tag A at time T cannot be distinguished from that of at time T. Tag A Tag B 5709136824 1234567890 time T time T Reader
6123789035
time T
Stronger Property Forward Security Once the secret in the tag is stolen, all past activities can be traced by searching past logs. Forward security ensures that the latest memory in the tag does not give a hint to guess past outputs. So the past activities can be protected from tampering. secret information
output 2 time
output3 Tag A
output 4
Tampering!
Known Approaches (1/2)
ID Encryption (against personal belongings data leakage)
Hide ID by encryption so that only designated Reader can read it.
Re-encryption (against ID tracing)
Re-encrypt the encrypted IDs to vary the ciphertext from time to time. [KHKFO03] Anonymous ID Scheme [JP03] Re-encryption scheme Costly encryption is done by onon-line Reader. But offoff-line schemes (that allow the tags to protect privacy by themselves) are more useful.
Known Approaches (2/2)
ID Randomization approach Using Hash function that is much less costly than encryption. Allows tag to protect ID without any help of Reader. [WSRE03] using Randomized Hashing Simple No forward security
[This work] using Randomized Hash Chain
Simple Forward secure!
Hash Functions Functionality One-way (Preimage-free): hard to guess the input from the ouput
SHA-1, MD5, ...
Existing Schemes Hardware Implementation
12KGates for SHA-1 while 165KGates for Elliptic Curve Enciphering Security module should be < 2.5KGates to get a tag < 5 cents. Currently, it is hard to meet with 2.5KG boundary but hash functions are much more promising than public-key encryption.
Known Approaches (2/2)
ID Randomization approach Using Hash function that is much less costly than encryption. Allows tag to protect ID without any help of Reader. [WSRE03] using Randomized Hashing Simple No forward security
[OSK-NTT03] using Randomized Hash Chain
Simple Forward secure! [OSK-NTT03] Cryptographic Approach to Privacy-Friendly Tags
Cryptographic Approach to Privacy-Friendly Tags
Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita NTT Laboratories
Nippon Telegraph and Telephone Corporation 2003.11.15 RFID Privacy Workshop MIT
Contribution Defined security requirements Indistinguishability Forward security
Proposed scheme Low-cost Security requirements are satisfied Secret information is renewed using hash chain. Output of tag is changed every requests and random.
Future works Reduce the computational cost of back-end server Low-cost hash function
Outline 1. Introduction (RFID System and RFID Privacy Problem) 2. Our Contribution 1. Stronger security model Indistinguishability, forward security
2. A new scheme providing stronger security
low-cost and forward secure based on hash chain
3. Conclusion
Outline 1. Introduction (RFID System and RFID Privacy Problem) 2. Our Contribution 1. Stronger security model Indistinguishability, forward security
2. A new scheme providing stronger security
low-cost and forward secure based on hash chain
3. Conclusion
Proposed Scheme Tag Operation
Tag 1. Receives a request from reader. 2. Calculates a i by applying hash function G to si . 3. Calculates i+1 by applying hash function H to si , and overwrite in memory
Memory
si G Output
si +1
Overwrite
Tag
H G
One-way hash functions with different output distributions
ai
Proposed Scheme - Back-end
Back-end server
Server Operation
ai
Back-end server 1. Receives from reader. 2. For all ID,
. . .
DB
ai Tags output sent from reader
( ID,
s1
3. If the equation holds,
identifies ID from database. Identify ID through comparison with calculation result
ID
Implementation Issues Saving servers computation Cash latest value si to reduce calculation cost, back-end server reduces calculation cost. Apply efficient computing method for hash chain [Coppersmith and Jakobsson02][Sella03]. Our scheme allows parallel computation on the server-side.
RFID lifetime Using FRAM (100 million times) instead of simple memory, for example EPROM and RAM(hundred thousand times).
Application to Auto-ID System
Layout EPC 8bits Header
28bits EPC manager
24bits Object class
36bits Serial number
Version
Manufacture code
Article classification
Serial number
Extended code of our scheme
Header
Back-end server
Operation
ai
1. Reader sends an extended-EPC to the ONS server. 2. ONS server resolves address of back-end server and responds to reader. 3. Reader sends extended-EPC to back-end server. 4. Back-end server resolves extended-EPC to originalEPC and returns it to reader. 5. Next, the basic protocol in our scheme is performed.
Conclusion Defined security requirements Indistinguishability Forward security
Proposed scheme Low-cost Security requirements are satisfied Secret information is renewed using hash chain. Output of tag is changed every requests and random.
Future works Reduce the computational cost of back-end server Low-cost hash function
Propose Low-cost scheme, meeting the two security requirements
Secret information is renewed using hash chain. Output of tag is changed every requests and random.
Open issue for future work
Reduce the computational cost of back-end server Low-cost hash function
Three take-home messages
1. Deployed navely, embedding of RFID tags in consumer items can present a serious danger to privacy and security of consumers and enterprises alike in the future. 2. RFID is a technology with high promise. It would be unfortunate if security problems scotched it. 3. As technologists we must help to achieve a good balance of PRIVACY/SECURITY and UTILITY.
![Journal of Manufacturing Systems Volume 52 issue 2019 [doi 10.1016_j.jmsy.2019.05.001] Huang, Zhuoyu; Kim, Jiwon; Sadri, Alireza; Dowey, Steve; Dargusc -- Industry 4.0- Development of a multi-agent .pdf](https://imgv2-2-f.scribdassets.com/img/document/456667154/149x198/1422c201d8/1587021077?v=1)
